The Case for Cyber-Security in a Word: C.A.R.E.

There seems to be a cognitive dissonance around data security with insurance advisors and agents.

Many of us don’t think twice about handing our credit card to a server at a restaurant. Perhaps this is why portable chip readers were invented: to keep you in possession of your card. Sensitive and confidential information is sent every day via email, and people don’t give it a second thought.

Recent email scandals involving political figures may have changed that a bit, but most people still think that since they aren’t a public figure, why would anyone bother? And, if the emails and phone calls we receive are any testament, many advisors today still think the old filing-system method of locking up the files at night is better protection than a cyber-secure server.

We believe it IS NOT, and here’s why, in a word: C.A.R.E.

C is for CONDUCT
A is for ACCURACY
R is for RETENTION
E is for EFFICIENCY

Conduct

The Department of Labor’s Impartial Conduct Standards require that you act with Prudence, Care, and Diligence when making recommendations and servicing your clients. The second part, servicing, is important because it means that the standard is ongoing, not just at the time of the recommendation.

That means you must protect your client’s personal information at ALL TIMES. Spending $1,000 to $3,000 on a fireproof safe is certainly a careful and diligent approach to addressing protection, but it is not enough. Your clients deserve that same protection during the day.

Digital data collection and retention in a cyber-secure cloud that follows federal and state cyber-security guidelines protects the data 24 x 7 x 365. Paper files, PCs and jump drives are open during the day, and the data can be seen by anyone. Paper files left on the desk during breaks and lunch can easily be mishandled or misappropriated. PCs on private servers are more vulnerable to hackers and fraudsters than cyber-secure servers. Jump drives are easily pocketed.

Cyber-security managed servers not only watch for burglary at night; they also document and record all activity during the day: who is accessing the data, how long they are accessing it, and what they do while they are accessing it. Cyber-security managers have years of experience and training in recognizing activity that may be suspicious or potentially harmful.

Accuracy

In addition to maintaining data, the Impartial Conduct Standards require that you PROTECT the data from errors and manipulation. Compliant cyber-security systems encrypt all data so it cannot be changed.

Encryption has a long history, dating back to when the ancient Greeks used a tool called a scytale to encrypt their messages quickly using a transposition cipher. They would simply wrap a strip of parchment around a cylinder, write out the message along it, and once unwound the strip would not make sense to a reader.
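The scytale described above, written out as an added example (this code is not from the original article): the rod’s number of faces is the key, the message is written in rows along the rod, and unwinding reads the letters down the columns. The sample messages are constructed. The last function tries every rod size, which shows why a transposition of this kind is no protection at all today.

```python
import math

# Added example, not from the original article: a scytale transposition cipher.
# The "key" is the number of faces around the rod (set by its diameter). The
# sender writes along the rod, one row of text per face; unwinding the strip
# reads the letters down the columns, which scrambles their order.


def scytale_encrypt(plaintext: str, faces: int, pad: str = "_") -> str:
    """Write `plaintext` in `faces` rows along the rod, then read it off column by column."""
    if faces < 1:
        raise ValueError("the rod needs at least one face")
    turns = math.ceil(len(plaintext) / faces)        # number of wraps of the strip
    padded = plaintext.ljust(faces * turns, pad)     # fill the last wrap so the grid is full
    rows = [padded[i * turns:(i + 1) * turns] for i in range(faces)]
    return "".join(rows[r][c] for c in range(turns) for r in range(faces))


def scytale_decrypt(ciphertext: str, faces: int, pad: str = "_") -> str:
    """Re-wrap the strip on a rod with the same number of faces and read along each row."""
    if faces < 1 or len(ciphertext) % faces:
        raise ValueError("ciphertext length must be a multiple of the face count")
    turns = len(ciphertext) // faces
    rows = ["".join(ciphertext[c * faces + r] for c in range(turns)) for r in range(faces)]
    return "".join(rows).rstrip(pad)


def try_every_rod(ciphertext: str) -> dict:
    """The only secret is the rod size, so every plausible size can simply be tried.
    Returns each candidate face count with the text it yields; one of them is the
    message, which is why this cipher offers no real protection today."""
    return {f: scytale_decrypt(ciphertext, f)
            for f in range(1, len(ciphertext) + 1) if len(ciphertext) % f == 0}


if __name__ == "__main__":
    message = "HELPMEIAMUNDERATTACK"          # constructed sample message
    secret = scytale_encrypt(message, faces=4)
    print(secret)                             # HENTEIDTLAEAPMRCMUAK
    print(scytale_decrypt(secret, faces=4))   # HELPMEIAMUNDERATTACK
    for faces, guess in try_every_rod(secret).items():
        print(faces, guess)
```

With a 20-letter message and a 4-face rod the strip reads HENTEIDTLAEAPMRCMUAK; rewinding it on a 4-face rod restores the text, and trying the handful of rod sizes that divide the length recovers it without the key.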

During World War II, the Germans used the Enigma machine to pass encrypted transmissions back and forth. It took years before the Poles could crack the messages and give the solution to the Allied forces, which was instrumental to their victory.

Today’s encryption technology has progressed considerably and can be applied using tools available to individuals as well as to system developers. There are two types of encryption: symmetric and asymmetric. Without getting too technical here, symmetric encryption is when all the people sharing the data have the same key.

A key can take the form of a physical key that opens a locked file cabinet, a shared login and password, or a vault code. Asymmetric encryption uses a key that is not shared, but one that is unique to each individual who is granted access to the data.

It is easy to understand why most security experts believe asymmetric encryption is more secure protection than symmetric. First, with asymmetric encryption you know who is accessing the information, as well as when and what is done during the access. It is difficult, if not impossible, to have multiple safe codes or separate locks on file drawers.

And, while personalized logins and passwords can be set up for electronic files, they are more expensive to incorporate and maintain. A system that uses asymmetric encryption for its stored data is easily the most secure method of protecting the data from inappropriate access, manipulation or theft.
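The accountability point made in the two paragraphs above, as an added example (this code is not from the original article or from AssessBEST): with one shared secret, a valid tag proves a record is intact but cannot say which person produced it; with a private key that only one person holds, a valid signature ties the record to that person. The office key, the record text and the RSA primes are all constructed, and the primes are toy-sized purely to make the arithmetic visible, not a key size anyone should use.

```python
import hashlib
import hmac

# Added example, not from the original article. Two ways to protect a stored
# record: one shared secret for the whole office (symmetric) versus a private
# key that only one person holds (asymmetric). All key material is constructed.

# --- Symmetric: everyone shares the same key ---------------------------------
OFFICE_KEY = b"office-shared-secret-2024"        # constructed sample key


def symmetric_tag(record: bytes, key: bytes = OFFICE_KEY) -> str:
    """HMAC-SHA256 tag. Anyone holding `key` can both create and check it,
    so a valid tag proves the record is intact but not who produced it."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()


def symmetric_verify(record: bytes, tag: str, key: bytes = OFFICE_KEY) -> bool:
    return hmac.compare_digest(symmetric_tag(record, key), tag)


# --- Asymmetric: each person has a key nobody else holds --------------------
def make_keypair(p: int, q: int, e: int) -> dict:
    """Textbook RSA from two primes (toy sizes; real keys use 2048-bit moduli)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))            # private exponent (Python 3.8+)
    return {"public": (n, e), "private": (n, d)}


ALICE = make_keypair(61, 53, 17)                 # constructed toy key pair
BOB = make_keypair(101, 113, 3)                  # constructed toy key pair


def _digest_mod(record: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % n


def sign(record: bytes, private: tuple) -> int:
    """Only the holder of the private exponent can produce this value."""
    n, d = private
    return pow(_digest_mod(record, n), d, n)


def verify(record: bytes, signature: int, public: tuple) -> bool:
    """Anyone with the signer's public key can check the signature, which
    ties the record to that one person."""
    n, e = public
    return 0 <= signature < n and pow(signature, e, n) == _digest_mod(record, n)


def compare(record: bytes) -> dict:
    """Run both schemes over one record and report what each can tell you."""
    tag_from_alice = symmetric_tag(record, OFFICE_KEY)   # Alice uses the office key
    tag_from_bob = symmetric_tag(record, OFFICE_KEY)     # so does Bob
    sig_alice = sign(record, ALICE["private"])           # only Alice can make this
    return {
        # same key, same tag: the office cannot tell Alice's entry from Bob's
        "shared_key_tags_identical": tag_from_alice == tag_from_bob,
        "shared_tag_verifies": symmetric_verify(record, tag_from_alice),
        "alice_signature_verifies_as_alice": verify(record, sig_alice, ALICE["public"]),
        "alice_signature_verifies_as_bob": verify(record, sig_alice, BOB["public"]),
        "edited_record_still_verifies": verify(record + b" (edited)", sig_alice, ALICE["public"]),
    }


if __name__ == "__main__":
    for name, outcome in compare(b"client 0042: suitability form updated").items():
        print(f"{name}: {outcome}")
```

The first three results are always True; the last two come out False, showing that the signature names Alice and nothing else and that any edit to the record breaks it. With a modulus this small there is a tiny chance of an accidental match on those two checks; with real key sizes produced by a proper library that chance is negligible.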

Retention

The Impartial Conduct Standards require that you maintain all records for a minimum of six years. One cubic foot of storage can house about 2,000 pages, according to The School Archivist. If you consider that a typical client’s file may hold about 20 pages (if you don’t house the application and suitability forms), that would be about 100 clients over a six-year period, or about 16 clients a year.

That is not a lot of clients to run a business on, but if you digitize the data, it will save you space.

Consider that 1 gigabyte holds about 900,000 text files; after the time invested in scanning, downloading and storing, you can hold much more than you can on paper. You must be sure, however, that you have processes and procedures in place to secure the digital information.

Unfortunately, a do-it-yourself security system does open your business to potential legal exposure, with easy-to-pocket jump drives and the data-breach vulnerability of unencrypted data. As an example of that exposure, consider a recent court case that alleges that the firm was negligent and engaged in malpractice (read: a prohibited transaction) by allowing information security vulnerabilities to develop that created risks to client information.

Notably, the complaint does not allege that the firm actually suffered a compromise of sensitive information. In other words, the lawsuit is based on the firm’s state of security that may make it vulnerable to an attack in the future.

Efficiency

Most carriers with whom we speak are moving toward electronic application submission and processing. They’ve spent thousands, if not millions, of dollars to build the infrastructure necessary for e-application processing. While security is certainly a reason for the change, financial reasons also play an important role in the evolution and ultimate complete transition to e-applications.

Applications and forms that are completed and sent electronically can be processed faster. That means policies can be issued faster, shortening the time between policy application and delivery. Shorter times lessen the likelihood of buyer’s remorse or of a competing advisor steering the client in a different direction.

Financial rationale should also be a consideration for utilizing electronic data collection and application processing. Shorter issuing timelines mean commissions are paid faster. That is good for business and for bill collectors and payroll recipients.

Advisors who provide insurance solutions for their clients all understand the concept of the time value of money. Cyber-secure electronic data collection and processing is certainly a time saver and, therefore, a VALUE.

Conclusion

Evidence supporting the superiority of cyber-secure electronic record retention over paper or home-grown digital storage is easy to find on the web. This paper was published as long ago as 1996 by the Journal of the American Medical Informatics Association, but it is even truer today with continuing advances in cyber-security technology.

The paper is said to be a research source for the current HIPAA record retention standards, which are good benchmarks when measuring a record retention solution you are considering.

Currently there is no legal or even regulatory requirement that you use cyber-secure data storage procedures. With the onset of the DOL Fiduciary Rule, there are many new systems available for complying with the Impartial Conduct Standards, including our own, AssessBEST.

These system providers have already spent a lot of money to build data collection and storage systems that comply with federal and state cyber-security guidelines. What this means to you, the advisor, is that you pay less (and avoid mistakes) than if you build your own.

Advisors are wise to demonstrate that they are using CARE when handling and storing personal client information. Those who can’t may be inviting problems down the road.

Kim O’Brien is a 35-year veteran of the insurance industry specializing in guaranteed annuities and life insurance. She is the current CEO of Americans for Annuity Protection and Founder of AssessBEST, Inc., a sales and compliance software system. Visit www.AAPnow.com or www.AssessBEST.com for more information.

This article is provided for educational and informative purposes only and not for the purpose of providing legal advice. Readers should consult with their own legal and compliance counsels to obtain guidance and direction with respect to any issue or question. Contact Kim at kobrien@innfeedback.com.